authorMatt Caswell <matt@openssl.org>2017-10-13 14:36:32 +0100
committerMatt Caswell <matt@openssl.org>2017-10-16 15:52:19 +0100
commit61278ff3f952570a3ca06d02b07502069cd78f55 (patch)
tree5ba2fffd9a162e12ab47beede5f4efd3608a80cf /ssl
parenta2b97bdf3dbbd255ee24aa8a74cf88d4f7034898 (diff)
Sanity check the HRR version field
The previous commit removed version negotiation on an HRR. However we should still sanity check the contents of the version field. Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/4527)
Diffstat (limited to 'ssl')
-rw-r--r--ssl/statem/statem_clnt.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index fdf5d45..338325f 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1569,6 +1569,13 @@ static MSG_PROCESS_RETURN tls_process_hello_retry_request(SSL *s, PACKET *pkt)
goto f_err;
}
+ /* TODO(TLS1.3): Remove the TLS1_3_VERSION_DRAFT clause before release */
+ if (sversion != TLS1_3_VERSION && sversion != TLS1_3_VERSION_DRAFT) {
+ SSLerr(SSL_F_TLS_PROCESS_HELLO_RETRY_REQUEST, SSL_R_WRONG_SSL_VERSION);
+ al = SSL_AD_PROTOCOL_VERSION;
+ goto f_err;
+ }
+
s->hello_retry_request = 1;
/*
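Review bot: The added check in tls_process_hello_retry_request carries only a TODO about the draft clause and no statement of why the version field is validated, so a later cleanup of the draft value could remove or weaken the whole test by mistake. I would put a why-comment above it, for example `/* HRR exists only in TLS 1.3: reject any other version value instead of negotiating on it */`. The condition also accepts either constant unconditionally and does not compare `sversion` with the version this client actually offered; if that is not enforced elsewhere in the function, the check should be tied to the offered version. The function body starts and ends outside this hunk, so the earlier parsing and the `f_err` path are not visible here.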